cloudstack-issues mailing list archives

From "Rajesh Battala (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-5403) Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
Date Tue, 10 Dec 2013 09:25:13 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13844119#comment-13844119 ]

Rajesh Battala commented on CLOUDSTACK-5403:
--------------------------------------------

Thanks [~sowmyak] for the update. 

> Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5403
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server, Network Controller
>    Affects Versions: 4.3.0
>         Environment: Advanced zone, shared network on Hyper-V
>            Reporter: Sowmya Krishnan
>            Assignee: Rajesh Battala
>            Priority: Critical
>             Fix For: 4.3.0
>
>         Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log
>
>
> None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone
> Steps:
> Create a shared network in advanced zone
> Acquire IP
> Create PF and corresponding Firewall rule
> Acquire another IP
> Create LB and corresponding Firewall rule
> Ensure all the rules work
> Restart router
> Check all rules
> Result:
> None of PF or LB rules work after router restart
> I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.
> The following rules are dropped from iptables FORWARD chain after restart:
> ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
> ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */
> So are the firewall rules corresponding to the LB rule source IP.
> The rules themselves exist in DB though:
> mysql> select * from firewall_rules;
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | id | uuid                                 | ip_address_id | start_port | end_port | state  | protocol | purpose        | account_id | domain_id | network_id | xid                                  | created             | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> |  1 | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d |             5 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> |  2 | 5b657e22-649a-4cd4-b23c-2416243f48ba |             5 |        888 |      888 | Active | tcp      | PortForwarding |          4 |         2 |        205 | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> | 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 |             6 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> | 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 |             6 |        888 |      888 | Active | tcp      | LoadBalancing  |          4 |         2 |        205 | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> 4 rows in set (0.00 sec)
> mysql> select * from load_balancing_rules;
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | id | name     | description | default_port_start | default_port_end | algorithm  | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | 14 | lbshared | NULL        |                 80 |               80 | roundrobin | NULL              |                         NULL | Public | NULL        |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> mysql> select * from port_forwarding_rules;
> +----+-------------+-----------------+-----------------+---------------+
> | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +----+-------------+-----------------+-----------------+---------------+
> |  2 |           5 | 10.102.198.2    |              80 |            80 |
> +----+-------------+-----------------+-----------------+---------------+
> 1 row in set (0.00 sec)



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
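The report's core symptom is a divergence between what the management server records in `firewall_rules` and what the virtual router actually has in its FORWARD chain after a restart. The following is an added example (not CloudStack project code, and not part of the JIRA thread) of the kind of consistency check a practitioner would run to catch that divergence: it diffs two `iptables -L FORWARD` listings taken before and after the restart, and cross-checks the Active rows of purpose `Firewall` against the `/* ip:start:end */` comment tags the router attaches to programmed rules, as seen in the two rules quoted in the report. It assumes that tag format is used for every Active firewall rule, that PortForwarding and LoadBalancing rows are realised elsewhere (nat table, haproxy) and so are excluded from the FORWARD-chain check, and a caller-supplied mapping from `ip_address_id` to public IP; the sample listings, the `5 -> 10.102.196.239` and `6 -> 10.102.196.240` mapping, and the second IP's rules are constructed for the example.

```python
"""Cross-check a CloudStack virtual router's iptables FORWARD chain against the
firewall rules recorded in the management server database.

Added example, not CloudStack project code. Assumptions:
  * every programmed firewall rule carries a comment /* <ip>:<start>:<end> */,
    as in the two rules quoted in the bug report;
  * the ip_address_id -> public IP mapping is supplied by the caller;
  * PortForwarding / LoadBalancing rows are not expected in the FORWARD chain.
"""
import re

# Matches the comment tag CloudStack's router script puts on firewall rules.
RULE_TAG = re.compile(r"/\*\s*(\d+\.\d+\.\d+\.\d+):(\d+):(\d+)\s*\*/")

# Constructed listing modelled on the report (hostname resolution on, comments on).
# The 10.102.196.240 lines stand in for the firewall rules of the LB source IP.
IPTABLES_BEFORE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             shareduser1vm2       state RELATED,ESTABLISHED /* 10.102.196.240:888:888 */
ACCEPT     tcp  --  anywhere             shareduser1vm2       tcp dpt:http state NEW /* 10.102.196.240:888:888 */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
"""

# Constructed post-restart listing: only the generic rule survived.
IPTABLES_AFTER = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
"""

# The relevant columns of the firewall_rules rows shown in the report.
DB_RULES = [
    {"id": 1,  "ip_address_id": 5, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "Firewall"},
    {"id": 2,  "ip_address_id": 5, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "PortForwarding"},
    {"id": 13, "ip_address_id": 6, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "Firewall"},
    {"id": 14, "ip_address_id": 6, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "LoadBalancing"},
]

# Assumed mapping of user_ip_address ids to public IPs (constructed for the example).
IP_BY_ID = {5: "10.102.196.239", 6: "10.102.196.240"}


def parse_forward_chain(listing):
    """Return the rule lines of an `iptables -L FORWARD` listing, dropping the
    'Chain ...' and column-header lines and normalising whitespace."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("Chain ") or line.startswith("target "):
            continue
        rules.append(" ".join(line.split()))
    return rules


def dropped_rules(before, after):
    """Rules present before the restart but absent afterwards (order-insensitive)."""
    remaining = parse_forward_chain(after)
    dropped = []
    for rule in parse_forward_chain(before):
        if rule in remaining:
            remaining.remove(rule)  # consume one copy so duplicate rules are counted
        else:
            dropped.append(rule)
    return dropped


def programmed_tags(listing):
    """Set of (ip, start_port, end_port) tags found in rule comments."""
    tags = set()
    for rule in parse_forward_chain(listing):
        m = RULE_TAG.search(rule)
        if m:
            tags.add((m.group(1), int(m.group(2)), int(m.group(3))))
    return tags


def unapplied_db_rules(db_rules, ip_by_id, listing):
    """Ids of Active Firewall rows that have no matching tag on the router."""
    tags = programmed_tags(listing)
    missing = []
    for row in db_rules:
        if row["state"] != "Active" or row["purpose"] != "Firewall":
            continue
        key = (ip_by_id[row["ip_address_id"]], row["start_port"], row["end_port"])
        if key not in tags:
            missing.append(row["id"])
    return missing


if __name__ == "__main__":
    for rule in dropped_rules(IPTABLES_BEFORE, IPTABLES_AFTER):
        print("dropped after restart:", rule)
    print("DB firewall rules not on router:", unapplied_db_rules(DB_RULES, IP_BY_ID, IPTABLES_AFTER))
```

Run against real captures, the two functions answer different questions: `dropped_rules` tells you what the restart removed, while `unapplied_db_rules` tells you which rules the management server still considers Active but the router no longer enforces, which is the condition that needs an alert regardless of how the router got into that state.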
